Scripted installation of Nextcloud 28 in iocage jail 2018-03-23

sheenegarmi

Dabbler
Joined
Jul 26, 2019
Messages
18
Everything is fine. I’m a blind fool, I didn’t see an error in the site address. I have not decided to copy the configuration yet. Now everything works.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
How can I make the web server more secure? I installed the script fine, but I see some strange IPs in the logs connecting to my www.
I really don't understand how the SSL protection works.

Thanks.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm not aware of any settings to change to make the system any more secure--if I were, I would have incorporated them in the script. You can expect login attempts from all over the world. Ensure your passwords are secure.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
The best option is a VPN, but it's slow for some clients.... It would be fantastic to add an "FQDN name" to the permitted sources allowed to access Nextcloud; with some apps on iPhones or Android like realdns it could always be kept updated with the FQDN name.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't think I understand what you're talking about. There's no setting in Nextcloud or Caddy, AFAIK, to control the FQDN name(s) allowed to access the system.
 

sobmalag

Cadet
Joined
Nov 28, 2017
Messages
4
Hi,
On FreeNAS-11.3-U1 I got this error:

mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Command: mysqladmin reload failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ maintenance:install --database="mysql" --database-name="nextcloud" --database-user="nextcloud" --database-pass="4ohXCKEyVe2mX7YXU04L/g==" --database-host="localhost:/tmp/mysql.sock" --admin-user="admin" --admin-pass="SSj24lXa8zrP8nnu" --data-dir="/mnt/files" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set mysql.utf8mb4 --type boolean --value="true" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ db:add-missing-indices failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ db:convert-filecache-bigint --no-interaction failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set logtimezone --value="Europe/Bucharest" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set log_type --value="file" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set logfile --value="/var/log/nextcloud.log" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set loglevel --value="2" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set logrotate_size --value="104847600" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set memcache.local --value="\OC\Memcache\APCu" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set redis host --value="/var/run/redis/redis.sock" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set redis port --value=0 --type=integer failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set memcache.locking --value="\OC\Memcache\Redis" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set overwritehost --value="sobmalag.go.ro" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set overwriteprotocol --value="https" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set overwrite.cli.url --value="blabla" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set htaccess.RewriteBase --value="/" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ maintenance:update:htaccess failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set trusted_domains 1 --value="sobmalag.go.ro" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ config:system:set trusted_domains 2 --value="192.168.1.228" failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ app:enable encryption failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ encryption:enable failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ encryption:disable failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php /usr/local/www/nextcloud/occ background:cron failed!
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
Command: su -m www -c php -f /usr/local/www/nextcloud/cron.php failed!
Successfully removed mount from nextcloud's fstab
Installation complete!

Any clue?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Command: mysqladmin reload failed!
This much is expected--I'm not entirely sure why, but I'm aware of it, and it doesn't appear to hurt anything.
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
This, however, isn't. It looks like there's a bug in the pecl-redis package. Best I can say is wait a few days (maybe keep an eye on the bug ticket) and try again once it's fixed.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
How can I use fail2ban on the Apache logging to protect my jail from hackers?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
/usr/local/lib/php/20180731/redis.so: Undefined symbol "php_hash_bin2hex"
This seems to be resolved by using PHP 7.4. The script has now been modified to do this. If your installation is already working, you don't need to do anything. If not, update the script by running git pull and run it again.
 

Dellyjoe

Explorer
Joined
Jun 12, 2020
Messages
80
Hello Everyone,

I'm new to FreeNAS and FreeBSD and currently have a Nextcloud server running that isn't https. I tried a lot of different guides that work within the jail to install the certs and get a key, and I'm able to get a key but never a cert. After that happens I would then not be able to access the IP of my Nextcloud server anymore and would have to uninstall from the GUI and reinstall and start all over.

I now found this website with danb35's script to do everything I want and need.
However, I'm worried that nothing is going to work b/c I have just been having problems after problems with other guides.

I have a couple of questions before I get started.
1. I have a pool set up with a jail running Nextcloud and I have a dataset that points to my data. Would I be able to use this script within the jail just for the Cert part and key of it?

2. Or should I save all my data, uninstall everything and start over with this script, given it automates everything? And if I do that, will I be able to see the jail within the plugins page after the install is done on the GUI, or will it be behind the GUI and I will have to SSH into the FreeNAS box to see it?

3. I believe I have my DNS server set up in the correct manner; I'm able to use my domain name and get to my Nextcloud server. I'm using Google Domains and DNS servers. Given that I have tried to set up SSL and failed 4-5 times, that being said, is my domain name locked for x amount of time?

4. Is there a difference in installing from the GUI vs. SSH into the FreeNAS server and running a gclone command?

Thank you for reading,
I look forward to your response.

FYI: I'm dyslexic and have read this post 4 times I hope it makes sense to you.

Dellyjoe
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
would I be able to use this script within the jail just for the Cert part and key of it?
Not really. This script is designed to install a complete Nextcloud system, using Caddy as the webserver, and it's Caddy that handles obtaining and renewing the certs. You could, perhaps, put your jail behind a Caddy reverse proxy, and have that reverse proxy handle your TLS termination; I have a different resource describing that setup:
Or should I save all my data uninstall everything and start over with this script given it automates everything
That's another possibility. If you do that, make sure you save everything:
  • The data itself (obviously)
  • The database files
  • The Nextcloud config file
  • ...and any theme files, if you've used them
Create a database called nextcloud on your pool, and within that dataset, datasets of files, config, db, and themes. Put all the files into the appropriate datasets. Once the script finishes, you should be able to log in with all your users and data preserved.
if I do that will I be able to see the jail within the plugins page after the install is done
It won't show on the plugins page as it isn't a plugin, but it will show on the Jails screen. You shouldn't ever need to SSH into the system to deal with it once it's up and running.
Given that I have tried to set up SSL and failed 4-5 times that being said is my domain name locked for x amount of time?
In the worst likely case, you may have hit the "failed authorizations" rate limit--that resets after an hour. There's also a rate limit for no more than five identical certs/week, but if you've failed to issue the certs you wouldn't hit that one (that's also why my script uses the staging server by default; its rate limits are much higher).
Is there a difference in installing from the GUI vs. SSH into the FreeNAS server and running a gclone command?
I'm not sure what you mean here, unless "gclone" is your contraction for git clone, and refers to using my script vs. installing the plugin. If that's the case, there are a few major differences:
  • My script sets up SSL, gets a trusted certificate, and automatically renews it
  • I store all your data (all the stuff I told you to save above) outside the jail, on your pool--you can destroy and rebuild the jail without damaging your data. This also helps if your jails are stored on a separate device with less storage capacity than your main pool
  • I use Caddy for the web server, rather than Nginx. Caddy's configuration is much simpler, and it handles all the SSL stuff automatically, under the hood.
 

Dellyjoe

Explorer
Joined
Jun 12, 2020
Messages
80
Thank you so much for helping me with this issue. I will take down my current Nextcloud server, save everything, and then uninstall my current Nextcloud server. I will then set up a dataset called nextcloud and within that I will make the following datasets: one each for files, config, themes and db.

I will have questions along the way, given I have read your install guide about 3 times and still have some questions on how to do some things, but I will get to work on setting everything up.

Again thank you for your time so far.

Dellyjoe
 

Dellyjoe

Explorer
Joined
Jun 12, 2020
Messages
80
Some more questions

When reading the install guide I had a couple of questions.
"DNS hosting for the domain name needs to be with a provider that Caddy supports, to automatically update the DNS records needed to prove your control over the domain. See the Caddy documentation under the heading of "DNS Providers" for the supported providers, and what information you'll need in order to proceed. "

1. Then looking at the Caddy Documentation I find the DNS provider to be tls.dns.googlecloud. Is this the same as me using google domains? I'm currently just using the Google default DNS ns-cloud-a1 -4. I'm assuming yes but just wanted to double check.

"Download the repository to a convenient directory on your FreeNAS system by running git clone https://github.com/danb35/freenas-iocage-nextcloud. Then change into the new directory and create a file called nextcloud-config. It should look like this: "

2. Should I download the git clone inside the dataset nextcloud? Also, when it says to change into a new directory do you mean the new iocage nextcloud a.k.a the jail and then make a new file called nextcloud-config in that first layer?

POOL_PATH="/mnt/tank" --> is this where just the pool is or also needs to point to the jail we just created?
HOST_NAME="YOUR_FQDN" --> is this in the format of www.example.com or just example.com

DNS_PLUGIN: If DNS_CERT is set, DNS_PLUGIN must contain the name of the DNS validation plugin you'll use with Caddy to validate domain control. See the Caddy documentation under the heading of "DNS Providers" for the available plugins, but omit the leading "tls.dns.". For example, to use Cloudflare, set DNS_PLUGIN="cloudflare".

3. Where would I set DNS_PLUGIN="googlecloud"? Will this be asked when the install happens or do I need to add this into the nextcloud-config file?

DNS_ENV: If DNS_CERT is set, DNS_ENV must contain the authentication credentials for your DNS provider. See the Caddy documentation under the heading of "DNS Providers" for further details. For Cloudflare, you'd set DNS_ENV="CLOUDFLARE_EMAIL=foo@bar.baz CLOUDFLARE_API_KEY=blah", using the email address of your Cloudflare account and your Global API key--the newer API tokens aren't currently supported.

4. I'm not sure what this is telling me. Do I need to make a Cloudflare account even though I'm using Google Domains?

Thank you for taking the time out of your day to answer these questions. I look forward to reading them and attempting to install later today.

Dellyjoe
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Then looking at the Caddy Documentation
I need to update that URL--use this instead:

Is this the same as me using google domains
There I really can't help you--I remember hearing that Google Cloud DNS was something different than Google Domains, but I've never used either so I can't say.
Should I download the git clone inside the dataset nextcloud?
No. When I'm testing, I usually download it into the pool's root (e.g., cd /mnt/tank; git clone ...
also when it says to change into a new directory do you mean the new iocage nextcloud a.k.a the jail
What you just downloaded isn't a jail, it's a script to create the jail. And yes, you'd change into that directory.
POOL_PATH="/mnt/tank" --> is this where just the pool is or also needs to point to the jail we just created?
Again, we didn't create a jail, but no, this isn't the path to where we downloaded the script. It's just what the docs say: "the path for your data pool".
HOST_NAME="YOUR_FQDN" --> is this in the format of www.example.com or just example.com
Once again, it's just what the docs say: "the fully-qualified domain name you want to assign to your installation."
Where would I set DNS_PLUGIN="googlecloud"
In the nextcloud-config file. Like the docs say.
I'm not sure what this is telling me.
I'm not sure how to make it any clearer. Each DNS provider requires certain credentials. You will specify them in the DNS_ENV setting. What they are varies from provider to provider; I have no idea what credentials Google would want. You don't need to switch to Cloudflare for your DNS (though it works well and it's free), but if you do, since I use it myself, I know what those credentials would be.
 

Dellyjoe

Explorer
Joined
Jun 12, 2020
Messages
80


Thank you for replying, Danb35. I just got everything backed up so now I will uninstall Nextcloud through the GUI and attempt your install. I also did some research and found googlecloud is a little bit different than Google Domains, and also did some research on Cloudflare, and it seems like a really good service so I switched over to it. Now my server runs through Cloudflare's DNS servers.

My earlier question, where I didn't know where to put the DNS information, is b/c the doc I was looking at showed only to add


JAIL_IP="192.168.1.199"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/tank"
TIME_ZONE="America/New_York"
HOST_NAME="YOUR_FQDN"
STANDALONE_CERT=1
CERT_EMAIL="me@example.com"

within the nextcloud-config file. So I'm assuming I will also add the

DNS_PLUGIN="cloudflare"
DNS_ENV="CLOUDFLARE_EMAIL=foo@bar.baz CLOUDFLARE_API_KEY=blah"

lines of code to the file as well.

Again, thank you so much for helping me with all my issues. I'm slowly making my way through it.

Now to begin the install
Dellyjoe
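
A pre-flight check for the nextcloud-config settings discussed in the posts above, as an added example that is not part of the thread or of danb35's script. The function names, the messages and the reading of "DNS_CERT is set" as DNS_CERT=1 are assumptions of this example; the sample config is constructed and carries two deliberate slips.

```sh
#!/bin/sh
# Added example (not part of the installer): lint a nextcloud-config file.
# Rules follow the install-guide text quoted in this thread.

# Print KEY's value from FILE without sourcing it (last assignment wins).
cfg_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Print findings for FILE. Returns 1 on any ERROR, 2 if FILE is unreadable.
lint_nextcloud_config() {
    f=$1; rc=0
    if [ ! -r "$f" ]; then echo "ERROR: cannot read $f"; return 2; fi

    # A line must be blank, a comment, or KEY="value" / KEY=value with nothing
    # after it; this catches a stray trailing '.' or a missing closing quote.
    ok='^[[:space:]]*(#.*)?$|^[A-Z_]+=("[^"]*"|[^"[:space:]]*)[[:space:]]*$'
    bad=$(grep -nEv "$ok" "$f" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then echo "ERROR: malformed line(s): $bad"; rc=1; fi

    plugin=$(cfg_get DNS_PLUGIN "$f"); dnsenv=$(cfg_get DNS_ENV "$f")
    # Assumption: "set" means DNS_CERT=1, like STANDALONE_CERT=1 in the thread.
    if [ "$(cfg_get DNS_CERT "$f")" = "1" ]; then
        if [ -z "$plugin" ]; then echo "ERROR: DNS_CERT set, DNS_PLUGIN empty"; rc=1; fi
        if [ -z "$dnsenv" ]; then echo "ERROR: DNS_CERT set, DNS_ENV empty"; rc=1; fi
    elif [ -n "$plugin$dnsenv" ]; then
        echo "WARN: DNS_PLUGIN/DNS_ENV present but DNS_CERT is not set"
    fi
    case $plugin in
        tls.dns.*) echo "ERROR: DNS_PLUGIN must omit the leading 'tls.dns.'"; rc=1 ;;
    esac

    # DNS_ENV carries a DNS provider API key, so the file should be owner-only.
    if [ -n "$dnsenv" ] && [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "WARN: $f holds DNS credentials but is group/world-readable (chmod 600)"
    fi
    return $rc
}

# Constructed sample; lines 8 and 9 carry deliberate slips (trailing '.',
# missing closing quote). All values are placeholders.
demo_config() {
    cat <<'EOF'
JAIL_IP="192.168.1.199"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/tank"
TIME_ZONE="America/New_York"
HOST_NAME="cloud.example.com"
STANDALONE_CERT=1
CERT_EMAIL="me@example.com"
DNS_PLUGIN="cloudflare".
DNS_ENV="CLOUDFLARE_EMAIL=foo@bar.baz CLOUDFLARE_API_KEY=blah
EOF
}

if [ -n "${1:-}" ]; then
    lint_nextcloud_config "$1"
else
    tmp=$(mktemp); demo_config > "$tmp"; chmod 644 "$tmp"
    lint_nextcloud_config "$tmp" || true
    rm -f "$tmp"
fi
```

Pass the path of a real nextcloud-config as the first argument to check it; with no argument the script lints the constructed sample.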
 

Dellyjoe

Explorer
Joined
Jun 12, 2020
Messages
80
When running the script I got the following error:


mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Command: mysqladmin reload failed!

but then it finished and I went to my domain name and got the following issue:

404 Site 10.0.0.39 is not served on this interface

Has anyone seen these before?

Thank you for reading,
Joe
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
mysqladmin: connect to server at 'localhost' failed
error: 'Access denied for user 'root'@'localhost' (using password: NO)'
Command: mysqladmin reload failed!
This is normal, or at least expected. Not a problem.
404 Site 10.0.0.39 is not served on this interface
You need to browse by FQDN, not by IP address.
 

Dellyjoe

Explorer
Joined
Jun 12, 2020
Messages
80
Got the server up and running, and one more thing to take care of.

After running the command iocage exec nextcloud /root/remove-staging.sh I get the following, not sure if it worked or not.

root@freenas[/mnt/Tank1/freenas-iocage-nextcloud]# iocage exec nextcloud /root/remove-staging.sh
Stopping caddy.
Waiting for PIDS: 4373, 4373.
Starting caddy.

How would one know if they have the latest updated certs?


Thank you for reading,
Joe
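
One way to check which certificate the site is serving after the staging-to-production switch discussed above, as an added example that is not part of the thread or of danb35's script. It assumes openssl is installed and relies on Let's Encrypt naming its staging issuers with "(STAGING)" or, on older certificates, "Fake LE"; the function names and the 30-day threshold are this example's own.

```sh
#!/bin/sh
# Added example: report whether a host serves a Let's Encrypt staging or
# production certificate, and when that certificate expires.

# Classify an issuer line as printed by `openssl x509 -noout -issuer`.
# Staging is tested first because its names can also contain "Let's Encrypt".
classify_issuer() {
    case $1 in
        *"(STAGING)"*|*"Fake LE"*) echo staging ;;
        *"Let's Encrypt"*)         echo production ;;
        *)                         echo other ;;
    esac
}

# Fetch the leaf certificate HOST serves on port 443 as PEM (needs network).
# -servername sends the FQDN via SNI, matching "browse by FQDN, not by IP".
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509
}

# Read a PEM certificate on stdin; print "<class> | <issuer> | <notAfter>".
# Returns 1 for a staging certificate or one with under 30 days left
# (30 days is this example's threshold, not a value from the thread).
report_cert() {
    pem=$(cat)
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer) || return 2
    expiry=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)
    class=$(classify_issuer "$issuer")
    echo "$class | ${issuer#issuer=} | ${expiry#notAfter=}"
    if [ "$class" = staging ]; then return 1; fi
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 2592000 >/dev/null
}

if [ -n "${1:-}" ]; then
    fetch_cert "$1" | report_cert
else
    # No host given: classify constructed issuer lines instead.
    for i in "issuer=CN = Fake LE Intermediate X1" \
             "issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3" \
             "issuer=C = US, O = Let's Encrypt, CN = R3" \
             "issuer=CN = Example Internal CA"; do
        echo "$(classify_issuer "$i") <- ${i#issuer=}"
    done
fi
```

Run it with the site's FQDN as the only argument from any machine that can reach the server; a "production" class with a notAfter date well in the future means the trusted certificate is in place.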
 